Managing information risks: Do you have IT governance?

Think you've got IT governance under control? You probably don't, says security guru Kevin Beaver. Read up on the problems you may be facing in your shop (that you're unaware of) and the steps you can take to educate yourself on governance fundamentals.

Think you've got IT governance? Probably not. And empty promises on paper or fancy technologies that aren't managed the right way aren't going to cut it. However, again and again that's what I see when it comes to managing information risks.


With documentation, I see everything from stale policies addressing 5 1/4-inch floppies and Word macro viruses to incident response plans focusing on what to do when the network is attacked via dial-up modem. I even see outdated references to auditor checklists with eight or 10 questions concerned mostly with passwords being at least six characters long and containing both letters and numbers.

Likewise, when it comes to security controls, I see and hear everything from audit logging that tracks every event under the sun without a single person monitoring what's going on to "Yep, we have a firewall and antivirus software -- that's all we need, right?" Or, how about this one: "We trust our employees -- we gave them a copy of our policy document when they started working here and they know to be on the lookout." There's even my favorite: "We perform ongoing security testing. Here's a copy of our report from three years ago." Even with all the known hacks, social engineering breaches and clear and concise compliance requirements, this mode of operation is still what's driving the information security function within a lot of organizations.

Let me get to the root of the problem: It's the higher-ups on mahogany row. You know what I mean … your boss and his colleagues who can't be bothered with the burdens associated with information security. By and large, management is disconnected from information security and IT governance in general. In fact (see if you recognize this), if something bad ever happened -- be it a lost laptop, a social engineering attack, a widespread malware outbreak or whatever -- and systems were down and information was lost, those higher-ups really wouldn't have any good answers for the auditors, regulators, investigators, business partners or shareholders.

Many managers hold the belief that they need to focus on what makes money and let someone else -- like you, the network administrator -- manage all that annoying hacker, virus and compliance stuff. It's a lot easier for them to bury their heads in the sand and pretend that none of it affects their business and their bottom line.

The problem doesn't stop with management, though. It's up to you to make some of it happen. This requires having goals, documenting how you're going to meet those goals and prioritizing how you're going to get there. I know this is easier said than done, especially when you've got major projects to manage and users breathing down your neck who need something new each day.

In terms of IT governance and managing information risks, unless you have sustainable, repeatable and automated (where possible) processes combined with reasonable policies that are enforced by technical and human-based controls, there's still some work to do. Don't worry -- all of this compliance and governance stuff is still in its infancy and will always be a work in progress. Do your organization and your career a favor and educate yourself on the fundamentals, which are:

Understand that threats + vulnerabilities = risk

Focus on your highest payoff tasks

Never forget that reasonable policies that are enforced and kept up to date are a required ingredient

If you can fine-tune your efforts in these areas and pay attention to what's best for the business, in a relatively short period of time you'll be able to build out an IT governance program you never thought would be possible. Unlike most things political, this is the kind of governance that's good for everyone.
